Ubuntu – Editing /etc/sudoers to allow Winbind Group members to Only sudo to 1 Local User

Tags: active-directory, permissions, sudo, user-management

I have multiple Ubuntu Linux hosts that need to connect to Active Directory for user management (unfortunately an actual LDAP server was not an option here…) and have configured Winbind to handle authentication, and my %sudoers group entry works fine:

## Allow AD members of the service group restricted user access to that account
%sudoers ALL=(ALL:ALL) NOPASSWD:ALL

I have allowed password authentication in the ssh config and have added the following entry to my sudoers file for the account:

%service ALL=(service:service) NOPASSWD:ALL

This doesn't even find the group even though the sudoers group and the service groups are at the same level in the directory tree on the AD server. When I do this:

%domain.local\\service ALL=(ALL:ALL) NOPASSWD:ALL

…members of the service group are able to log in and have full sudo rights, including root which is unacceptable, and already covered by the sudoers group and entry. Alternatively when I do this:

%domain.local\\service ALL=(service:service) NOPASSWD:ALL

…members are unable to sudo to any user. As for the service user, here is the /etc/passwd entry for the service user:

service:x:1001:16777230::/opt/service:/bin/bash

Per the Sudoers Man Page this last entry should probably work, but for some reason it doesn't. Also, %service should probably cover both local and AD provided membership, but it doesn't seem to. When I create this user, since there is already a group in the directory server named service, here is how I am creating the service user account:

useradd -d /opt/service -g service service

Here is the output of sudo -l for a member of the group:

[user.test@server ~]$ sudo -l
Matching Defaults entries for user.test on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User user.test may run the following commands on this host:
    (service : service) NOPASSWD: /opt/service

What am I missing here?

Best Answer

I found the solution. We needed to set the login shell and path to the sudoers entry for the service user's home like so:

%domain.local\\service ALL=(service) NOPASSWD:/bin/bash, /opt/service/*

Now we are able to enter the following to become the service user:

$ sudo -i -u service
$ whoami
service
$ pwd
/opt/service
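As an added audit check (not part of the question or the accepted answer), here is a small Python evaluator for sudoers user-specification lines. It parses the over-broad `(ALL:ALL)` entry from the question and the answer's `(service)` entry, resolves the escaped Winbind group name, and reports whether a member of `domain.local\service` ends up root-capable. The sudoers lines are the page's own; the user name and group membership passed in are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample entries (not read from a real /etc/sudoers): the over-broad
# variant from the question and the accepted answer's line.
OVERBROAD = r"%domain.local\\service ALL=(ALL:ALL) NOPASSWD:ALL"
FIXED = r"%domain.local\\service ALL=(service) NOPASSWD:/bin/bash, /opt/service/*"

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAGS = re.compile(r"^((?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*)*)(.*)$")

@dataclass
class Rule:
    who: str             # user name, or group name when is_group
    is_group: bool
    runas_users: set     # {"ALL"} means any target user, root included
    nopasswd: bool
    commands: list

def parse_sudoers(text):
    """Minimal parser for user-specification lines (aliases and Defaults are skipped)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who = m["who"]
        # sudoers escapes "\" as "\\"; Winbind reports the group as domain.local\service
        name = who.lstrip("%").replace("\\\\", "\\")
        runas = m["runas"] if m["runas"] is not None else "root"   # no (...) means root only
        # empty user part, e.g. (:grp), means the invoking user; mark it as <self>
        users = {u.strip() for u in runas.split(":")[0].split(",") if u.strip()} or {"<self>"}
        tags, cmds = TAGS.match(m["cmds"]).groups()
        rules.append(Rule(name, who.startswith("%"), users, "NOPASSWD" in tags,
                          [c.strip() for c in cmds.split(",")]))
    return rules

def matching_rules(rules, user, groups):
    """Rules that apply to `user`, given the group names `id` reports for them."""
    return [r for r in rules if (r.who in groups if r.is_group else r.who == user)]

def root_capable(rules, user, groups):
    """True if some matching rule lets `user` run a command as root (explicitly or via ALL)."""
    return any(r.runas_users & {"ALL", "root"} for r in matching_rules(rules, user, groups))

if __name__ == "__main__":
    member = ("user.test", ["domain.local\\service"])   # constructed AD member
    for label, text in (("over-broad", OVERBROAD), ("fixed", FIXED)):
        rules = parse_sudoers(text)
        print(f"{label}: root-capable={root_capable(rules, *member)}",
              [(sorted(r.runas_users), r.commands) for r in matching_rules(rules, *member)])
```

Note that `/bin/bash` run as `service` is still a full interactive shell for that account, so anything `service` can do, the AD group can do; the check above only confirms that the rule cannot reach root.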